Jetpack and The GDPR: What You Need to Know

Europe’s General Data Protection Regulation (aka the GDPR) is a new and far-reaching privacy regulation, built on a number of fundamental principles. Among these principles are personal data ownership, transparency, security, and individual choice.

At Automattic, we have a long-standing commitment to the principles of the GDPR, and have honored many of them — including data minimization, control, portability, and security — before they were required by law.

Today, we wanted to take some time to explain how Jetpack has been built — and recently improved — to honor the important rights guaranteed by the GDPR. We also wanted to share how you can use some of the new features and tools in Jetpack and WordPress core to honor the rights and principles of the GDPR for your own site visitors.

Before we get started, it’s important to remember one thing: the GDPR is based on principles, not rules. This means that there is no standard checklist to follow, and no merit badge awarded for compliance if you check a few boxes.

The beauty of WordPress is that every site is unique and different — and because of this, no two site owners will or should take the same steps to comply with the privacy laws of their country or the countries that their site visitors come from.

This may sound a little scary, but we’re all in this together. As one of millions of WordPress site owners, you’re part of a larger community that is focused on understanding and honoring individuals and their rights. GDPR requirements might be intimidating, but they’re not insurmountable if we all work together.

The WordPress (and Jetpack) way

WordPress is built on a foundation of openness and transparency, and Jetpack is no different. Unlike many proprietary products or services, you can look directly at our code.

At the same time, Jetpack includes a powerful package of hosted services. When you set up Jetpack, your site is connected to Automattic’s servers and shares site data with Automattic. This is done in order to power features like site backups, speed and performance, and security.

With great power comes great responsibility, and we take our responsibilities as stewards of your data very seriously. Our responsibilities begin with being fully transparent about the data we collect, use, store, share, and process on your behalf, starting when you first connect your site.

We understand that by downloading Jetpack and connecting your site to Automattic, you have placed your trust in us to keep your data secure, private, and use it in ways that you understand, expect, and agree to.

With the GDPR as a framework, we’ve put a lot of time, thought, and effort into upping our game on transparency, and building new features and tools to comply with new privacy regulations like the GDPR.

Jetpack’s privacy features in detail

Here is a brief tour of the Jetpack features that we’ve updated and improved with the GDPR in mind.

Our key goals for these improvements are to add greater transparency around Jetpack’s data habits, and give Jetpack users more control over how Jetpack uses their data.

To enhance the transparency of Jetpack, we’ve created a number of new documents, notifications, and explainers that give Jetpack users more information about the data Jetpack collects and uses. These include:

You can read this doc anytime, but we’ve included a link to it on the connection screen, so that the information is available and easy to find right at the time Jetpack syncs your data to our servers.

Jetpack modules

Each feature or “module” in Jetpack uses different data. To help make this information clearer, we’ve added a section to the support page for each module to detail the “Data Used”, “Activity Tracked” and “Data Synched” for each module. We’ve also broken down this information to distinguish between data about Jetpack site owners, and visitors to Jetpack sites.

It is important to note that Jetpack syncs all the data required by all of its modules, whether they are activated or not, to Automattic’s servers.

To make this information easier to find, we’ve added pop-up notifications, with links to each feature privacy statement, right in the Jetpack dashboard:

Jetpack Privacy Center

To make it easier to find all of this new and updated information, we created the Jetpack Privacy Center. Here, you can learn more details about all of our privacy related features and documents.

We’ll continue to add more information to the Privacy Center as we develop and launch new privacy-focused features.

Giving you more control

To give Jetpack users more control over how their data is used for analytics, we’ve also added:

Analytics opt-out

Like many services, we monitor certain user activities that take place within our products — like page views and clicks on our dashboards — to better understand how our products are used. However, we offer a way to opt out of this usage tracking.

Activating or de-activating modules

Jetpack syncs data from your site to Automattic’s servers when you connect your site. After this connection, the data that Jetpack uses is largely determined by the modules that you have activated.

In addition to giving you more information about what data each Jetpack module uses, we have also added better, clearer information about how to turn each module on or off. You can find this information on the support page for each module.

Access to your data

You can now request a copy of the data that Automattic has associated with your WordPress.com account. To do so, please contact Jetpack Support, and a Happiness Engineer will help you with your request.

Disconnect Jetpack and close your WordPress.com account

If you’d like to disconnect your Jetpack site from Automattic’s servers, or close your account with us for good, we would be sad to see you go… but you do have the tools to do so. Just follow these steps to disconnect your site, and these steps to close your account.

Tools for ongoing compliance

Just as Jetpack is providing enhanced transparency and tools to honor your privacy rights as a site owner, you should do the same for visitors to your site. Under the GDPR, you should let your site visitors know how you collect, store, and use their data in a clear and transparent way. You should also let site visitors request a copy of their data, as well as delete their data (if you store it).

Jetpack and WordPress now include tools to help you meet these commitments. These include:

Privacy Policy Helper

We developed a new tool that makes it easier to gather the information you need to build a clear and accurate privacy notice for your site.

The Privacy Policy Helper allows you to select which Jetpack features you’ve activated on your site, then generates the appropriate visitor-focused privacy policy content and copies it (in text or HTML format) to your clipboard.

This tool will be integrated directly into Jetpack in a future release.

Cookies and Consent widget

The new Cookies and Consent widget creates a notification banner for your site to alert visitors to the cookies that you’re setting when they visit. This notification is especially important for sites that participate in Jetpack Ads, or run other advertisements.

The widget includes some new, consent-oriented functionality. It also lets you specify a link to your privacy and cookie policy, making it easy for visitors to find. If your site has a Privacy Policy page set (introduced in WordPress 4.9.6), we’ll automatically populate the widget’s settings with the URL.

We also added a new setting letting you control the expiration date of the consent banner, plus a new filter, jetpack_disable_eu_cookie_law_widget, that will disable the banner entirely.

Access and deletion requests

An important piece of the GDPR is honoring requests from registered users on your site to access or delete their data. WordPress now includes tools to assist you with these requests.

Export Personal Data lets you export a ZIP file of a user’s personal data from WordPress and certain plugins. Erase Personal Data lets you delete a user’s personal data, including data collected by participating plugins. You can find both of these features on your WordPress dashboard (again, as long as you’re running WordPress 4.9.6).

It is important to note that Jetpack does not integrate with these tools yet, but may in the future. For the time being, please see “Access to your data” above in order to request a copy of the data Jetpack has collected for you or a user on your site, or to request its deletion.

Honoring your rights globally

As we wrap up this post, we’d like to make one final note: we think that your rights and those of your site users are global, not specific to a certain geography. All of the tools and features we’ve included in Jetpack apply and work globally by default.

If you’d like to delete your account, request your data, or choose whether to participate in our analytics system, you can. Every single one of these features is available to you no matter where you (or your website) live.

If you have questions about any of the choices we’ve made, tools or features we’ve created, or feedback on how we can make this all a little bit easier, we’d love to hear from you in the comments.

Sorry to hear about the experience you’ve had with Jetpack! Many of our developers and Happiness Engineers use Firefox. We’re always happy to help if you’d be willing to give us another chance – just send us an email.

So, there is no information on how to access the “cookies and consent” widget – I can’t find it. All the settings used to be on one page – now I have to click on tabs and I can’t find anything remotely called that. : /

The article does not make it clear which feature (policy maker or cookies and consent) will be available in a future release.

Hi, please let me know: if I disable the Stats module, is the tracking pixel still sending data to WordPress.com servers? If so, will disconnecting Jetpack silence that tracker? Or is uninstalling Jetpack the only way to get rid of that tracker?

I had hoped you would add the possibility on the contact form to NOT store any information, in the “Feedback” section in Dashboard, from senders using the website contact form. Due to GDPR, and the sheer amount of information in the Dashboard “Feedback” section, I really don’t like to store any data at all within WordPress. I only expect them to send via the contact form and work in this respect like Contact Form 7, not saving anything, just forwarding it right away to the email address.